IT manager accused of extorting employer by blocking hundreds of workstations
Ransomware threats don’t always have to come from outside the victim organization. Take Daniel Rhyne, a 57-year-old man from Kansas City, Missouri, who is accused of locking up and extorting money from his own employer.
Rhyne reportedly worked at an industrial company in Somerset County, New Jersey, late last year. One day in November, he reset the passwords of all network administrator accounts, as well as hundreds of user accounts. He deleted all backups and locked users out of hundreds of servers and thousands of workstations. About an hour later, he emailed everyone to notify them of the attack and demanded a ransom payment in exchange for regaining access.
These claims are made by the FBI, which investigated the attack and later charged the man with extortion involving threatening to damage a protected computer, willful damage to a protected computer, and Internet fraud.
TheFr0zenCrew!
If Rhyne is found guilty on all charges, he could face a total of 35 years in prison and a $500,000 fine, The Register reported.
The FBI shared a few details to back up its claims. For example, Rhyne used Windows’ net user and Sysinternals Utilities’ PsPasswd tool to change people’s passwords to “TheFr0zenCrew!”. Additionally, he kept a hidden virtual machine on his company-issued laptop, which he used to remotely access an admin account. This account had the same password – TheFr0zenCrew!.
He also used his company-issued laptop to search for a number of incriminating items, such as “command line to change password,” “command line to change local administrator password,” and “command line to change local administrator password remotely.”
He was eventually seen arriving at work, logging into his laptop, performing searches, and then viewing the company’s password spreadsheets, all while gaining access to the hidden virtual machine.
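A defender's view of the password resets described above, as an added example that is not from the article or the FBI's account: it flags any account that resets the passwords of many distinct accounts within a short window, based on Windows Security event ID 4724 (an attempt was made to reset an account's password). The CSV layout, account names, timestamps, threshold and window are all assumptions constructed for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

RESET_EVENT_ID = "4724"  # Security log: one account resets another account's password

# Constructed sample export (not data from the case).
# Columns: timestamp, event id, subject (who acted), target (whose password).
SAMPLE_LOG = """\
2024-01-08T09:12:00,4724,helpdesk1,user017
2024-01-08T10:05:00,4723,user150,user150
2024-01-08T11:40:00,4724,helpdesk1,user202
2024-01-08T16:00:05,4724,admin-x,Administrator
2024-01-08T16:00:09,4724,admin-x,da-backup
2024-01-08T16:00:14,4724,admin-x,user001
2024-01-08T16:00:19,4724,admin-x,user002
2024-01-08T16:00:23,4724,admin-x,user003
2024-01-08T16:00:31,4724,admin-x,user004
"""

def find_reset_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {subject: time at which that subject first reached `threshold`
    distinct reset targets inside a sliding `window`}."""
    recent = defaultdict(deque)  # subject -> (time, target) pairs still inside the window
    alerts = {}
    # ISO 8601 timestamps sort chronologically as plain strings.
    rows = sorted(csv.reader(log_text.strip().splitlines()))
    for ts, event_id, subject, target in rows:
        if event_id != RESET_EVENT_ID:
            continue  # ignore self-service changes (4723) and everything else
        when = datetime.fromisoformat(ts)
        q = recent[subject]
        q.append((when, target.lower()))
        while when - q[0][0] > window:  # drop resets that fell out of the window
            q.popleft()
        distinct_targets = {t for _, t in q}
        if len(distinct_targets) >= threshold and subject not in alerts:
            alerts[subject] = when
    return alerts

if __name__ == "__main__":
    for subject, when in find_reset_bursts(SAMPLE_LOG).items():
        print(f"{when.isoformat()} burst of password resets by {subject}")
```

Event 4724 is recorded on a domain controller for domain accounts and on the individual machine for local accounts, so catching resets of local administrator passwords depends on those workstation and server logs being forwarded to a central collector.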
Via The Register